1. Field of Art
The disclosure generally relates to computer security and in particular to exchanging information using Domain Name System (DNS) queries.
2. Description of the Related Art
The Domain Name System (DNS) can be used to query for information in real time. While the DNS was originally intended to support domain name resolution services, the DNS server resolving a query can include arbitrary information in the response. Moreover, the DNS is designed to work quickly. Therefore, the DNS is also used to support types of queries beyond name resolution. For example, a security vendor can use DNS queries to provide security-related information to clients.
One difficulty with using the DNS to provide non-standard information is that the data exchange between the client and the intended DNS server might fail. Clients often connect to the Internet through Internet Service Providers (ISPs), and some ISPs manipulate DNS traffic to their own ends. Some ISPs block DNS traffic destined to servers not controlled by the ISP. In addition, some ISPs perform non-standard caching of DNS responses by, e.g., ignoring Time-To-Live (TTL) values and caching prior responses for longer than the responses' specified validity periods.
More problematically, some ISPs transparently proxy DNS queries. Such proxied queries appear to the querying client to have been answered by the authoritative DNS server but, in fact, are handled by the ISP's own DNS server. This transparent proxying cannot be detected by the clients because the standard DNS provides no way of verifying that the true authoritative DNS server responded to the DNS query. As a result, applications on the client can fail because the DNS query appears to resolve normally, yet the response from the DNS server contains outdated or otherwise incorrect information.
Therefore, there is a need for securely detecting transparently-proxied DNS connections, as well as for detecting other situations that might interfere with DNS queries.
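The following is an added illustration of the detection problem described above; it is not the disclosure's own method and is not code from the applicant. It assumes a simple token-echo arrangement: the client places a fresh random token in the query name, the intended server echoes that token in a TXT answer, and the client rejects any response that lacks it. The intended server, the transparent proxy, the placeholder zone `example.invalid`, and the helper names (`build_query`, `check_dns_response`, `query_with_token`) are all constructed for this example. The wire format follows the standard DNS message layout (header, question, TXT answer) so the check runs on real response bytes.

```python
"""Detecting a DNS response that was not produced by the intended server.

Illustrative example (not the disclosure's method): a per-query random token
is carried in the query name and must be echoed back in the TXT answer. A
resolver that transparently answers the query itself has never seen the
token in the intended server's response data, so its reply fails the check
even though the transaction id and question section match.
"""
import secrets
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode uncompressed labels at msg[off]; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qname: str, txid: int) -> bytes:
    """Standard query: header (RD set), one TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def build_response(query: bytes, txt: str, ttl: int) -> bytes:
    """Answer the given query with a single TXT record carrying `txt`."""
    txid, = struct.unpack("!H", query[:2])
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    rdata = bytes([len(txt)]) + txt.encode("ascii")  # one TXT character-string
    answer = (encode_name(qname)
              + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata))
              + rdata)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    return header + question + answer


def parse_txt_response(msg: bytes):
    """Return (txid, [TXT strings]) from a response message."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    txts = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            txts.append(rdata[1:1 + rdata[0]].decode("ascii"))
    return txid, txts


def intended_server(query: bytes) -> bytes:
    """Constructed stand-in for the vendor's server: echoes the token label."""
    qname, _ = decode_name(query, 12)
    token = qname.split(".")[0]
    return build_response(query, f"token={token};verdict=clean", ttl=60)


def transparent_proxy(query: bytes) -> bytes:
    """Constructed stand-in for an ISP resolver that answers the query itself
    from a record it holds; txid and question match, but no token is echoed."""
    return build_response(query, "verdict=clean", ttl=3600)


def check_dns_response(query: bytes, response: bytes, token: str):
    """Accept only a response whose txid matches and whose TXT echoes the token."""
    txid, txts = parse_txt_response(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not any(f"token={token}" in t for t in txts):
        return False, "token missing: response not produced by intended server"
    return True, "ok"


def query_with_token(resolver, base: str = "example.invalid"):
    """Send one tokenised query through `resolver` and validate the reply."""
    token = secrets.token_hex(8)
    query = build_query(f"{token}.{base}", txid=secrets.randbelow(65536))
    return check_dns_response(query, resolver(query), token)


if __name__ == "__main__":
    print("direct:", query_with_token(intended_server))
    print("proxied:", query_with_token(transparent_proxy))
```

The random label also defeats the TTL-ignoring cache described above, since no prior response exists for a name that has never been queried; the token check is what distinguishes a proxy that fabricates an answer from one that merely forwards.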